Manage Mobile Devices

After your mobile device users enroll with the GlobalProtect Mobile Security Manager, you can monitor the devices and ensure that they are maintained to your standards for protecting your corporate resources and data integrity. Although GlobalProtect Mobile Security Manager simplifies the administration of mobile devices, enabling you to automatically deploy your corporate account configuration settings to compliant devices, you can also use Mobile Security Manager to remediate security breaches by interacting with a device that has been compromised. This protects both corporate data and personal end user data. For example, if an end user loses a device, you can send an over-the-air (OTA) request to the device to sound an alarm to help the user locate it. Or, if an end user reports a lost or stolen device, you can remotely lock the device from the Mobile Security Manager or even wipe the device (either completely or selectively).

In addition to the account provisioning and remote device management functions that the Mobile Security Manager provides, when it is integrated with your existing GlobalProtect VPN infrastructure you can use the host information that the device reports to the Mobile Security Manager to enforce security policies for access to applications through the GlobalProtect gateway, and use the monitoring tools built into the Palo Alto Networks next-generation firewall to monitor mobile device traffic and application usage.

This chapter describes how to manage mobile devices from the Mobile Security Manager and how to integrate information learned by the Mobile Security Manager into your network security infrastructure:

• Group Devices by Tag for Simplified Device Administration

• Monitor Mobile Devices

• Administer Remote Devices

116 GlobalProtect Administrator’s Guide Group Devices by Tag for Simplified Device Administration Manage Mobile Devices

Group Devices by Tag for Simplified Device Administration

A tag is a text label that you can assign to a managed mobile device to simplify device administration by enabling grouping of devices. The tags you define can be used to identify a group of devices to which to apply similar policies, or with which to interact OTA, for example to push a new policy or send a message. After you assign a tag to a device, the tag is included in the host information profile (HIP) for the device. Because the HIP profile is also shared with the GlobalProtect gateway, you can then create HIP profiles on the gateway that enable you to enforce security policy based on tag value.

Because you create the tags manually, they provide a flexible mechanism for achieving any type of device provisioning or security enforcement that you require. For example, you could create tags to distinguish personal devices from company-provisioned devices. You could then create HIP objects that match specific tags, giving you endless possibilities as to how you can group managed devices for configuration deployment. Or, if you want to be able to approve devices before you deploy policy to them, you could assign a tag to approved devices and then create a HIP profile to push policy only to devices with the approved tag.

There are a couple of different ways to assign tags to mobile devices:

• Manually Tag Devices

• Pre-Tag Devices

Manually Tag Devices

To manually tag devices, you create the tags you need on the Mobile Security Manager and then assign them to the devices after enrollment, as described in the following workflow:

Create Tags and Assign them to Managed Devices

Step 1 Define the tags you need for monitoring devices, pushing deployment policies, or enforcing security policy on the GlobalProtect gateway.

1. Select Setup > Tags and then click Add.

2. Enter a descriptive tag Name for the tag. This is the name that you will match on when creating HIP objects/profiles for deployment and/or security policy.

3. (Optional) Enter a comment (up to 63 alphanumeric characters, including special characters) that describes how you plan to use the tag.

4. Click OK to save the tag.


Step 2 Assign tags to managed mobile devices.

Note You can also use this procedure to remove tags from devices: select the tags you want to remove and then click Untag.

1. Go to the Devices tab.

2. Select the devices you want to assign the tag to by clicking in the row that corresponds to the device entry. To simplify this process, you can sort the devices by any of the column headers or use one of the pre-defined Filters in the left pane.

3. Click .

4. Associate tags with the selected device(s) in one of the following ways:

• Click Add to display the list of tags you have created so that you can click one, or click New Tags to define a new tag on the fly.

• To browse through the list of tags you have created, click Browse and then locate the tags you want to associate with the selected devices, clicking the to add each tag to the list of tags associated with the selected device(s). Repeat this step for each tag to associate with the selected device(s).

5. Click Tag to save the tag associations.

Step 3 Save the configuration. Click Commit.

Pre-Tag Devices

To simplify administration of policies for corporate-provisioned devices, you can automatically pre-tag corporate devices by compiling a list of serial numbers for the devices to be provisioned in a comma-separated values (CSV) file and then importing it into the Mobile Security Manager. By default, imported devices are assigned the tag “Imported.” Optionally, you can add a second column to your CSV/XLS file for the tag name if you want to assign additional tags to imported devices, for example if you have different levels of access for different groups of users receiving corporately provisioned devices. You do not have to assign the same tag to all imported devices.

Import a Batch of Devices

Step 1 Create a comma-separated values (CSV) file or Microsoft Excel spreadsheet that contains the list of device serial numbers in the first column and, optionally, a list of tags to assign to devices in the second column.

Create the CSV file in two columns without adding column headers and then save it to your local computer or network share.


Step 2 Import the device list.

1. Go to the Devices tab and click .

2. Enter the path and name of the CSV or XLS File you created or Browse to it.

3. Click OK to import the device list and associate the Imported tag with the devices, along with any other tags you defined per device within the file.

Step 3 Verify that the device import was successful. As soon as a device on the imported list enrolls, the tags you associated with its serial number are automatically assigned to the device.

On the Devices tab, click View Imported. Verify that the devices you just imported appear on the list. Notice that device serial numbers for which you did not specify a tag value get the Imported tag only, whereas device serial numbers for which you specified one or more tag values carry those tags in addition to the Imported tag.
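As an added example (not from the guide or the product), the following Python models the tag assignment the import performs: it reads a headerless CSV of serial numbers, gives every device the Imported tag, adds any tags listed in the further columns, and rejects a header row, an empty serial or a duplicate serial before the file is uploaded. The serial numbers are constructed, and treating each non-empty cell after the serial as one tag is an assumption; the guide only says the second column holds the tag name.

```python
import csv
import io

DEFAULT_TAG = "Imported"  # the guide: every imported device receives this tag

# Constructed sample file (not from the guide). No header row; serial in the
# first column; each further non-empty cell is one tag (an assumption, since
# the guide only says the second column holds the tag name).
SAMPLE_CSV = """\
F8XK2ABC123,company-provisioned,approved
F8XK2DEF456
F8XK2GHI789,personal-device
  F8XK2JKL012 , company-provisioned

"""

HEADER_WORDS = {"serial", "serial number", "serialnumber"}


def parse_device_list(text):
    """Return {serial: [tags]} for a headerless CSV as the guide describes.

    Every device receives the Imported tag first; tags from the file follow.
    Blank lines are skipped and cells are trimmed. A header row, an empty
    serial or a duplicate serial raises ValueError so that a bad sheet is
    rejected before it reaches the Mobile Security Manager.
    """
    devices = {}
    for lineno, row in enumerate(csv.reader(io.StringIO(text)), start=1):
        cells = [c.strip() for c in row]
        if not any(cells):
            continue  # blank line
        serial, extra = cells[0], cells[1:]
        if not serial:
            raise ValueError(f"line {lineno}: empty serial number")
        if serial.lower() in HEADER_WORDS:
            raise ValueError(f"line {lineno}: header row found; the file must have no column headers")
        if serial in devices:
            raise ValueError(f"line {lineno}: duplicate serial {serial}")
        tags = [DEFAULT_TAG]
        for tag in extra:
            if tag and tag not in tags:  # ignore empty cells and repeats
                tags.append(tag)
        devices[serial] = tags
    return devices


def devices_with_tag(devices, tag):
    """Serials carrying a tag: what a HIP object matching that tag would cover."""
    return sorted(serial for serial, tags in devices.items() if tag in tags)


if __name__ == "__main__":
    for serial, tags in parse_device_list(SAMPLE_CSV).items():
        print(f"{serial}: {', '.join(tags)}")
```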


Monitor Mobile Devices

One of the problems with allowing mobile device access to your corporate resources is the lack of visibility into the state of the devices and into the identifying information required to track down devices that pose a threat to your network and your applications.

Monitor Mobile Devices

• Use the Dashboard for at-a-glance information about managed devices.

The Dashboard tab provides a collection of widgets that display information about the Mobile Security Manager status as well as information about the mobile devices it is managing. You can customize which widgets are displayed and where each one appears on the screen. The dashboard allows you to monitor mobile device information in the following categories:

Device Trends—Show quick device counts over the past week for newly enrolled and unenrolled devices, devices that did and did not check in, and the total number of devices under management each day. You can click into each graph to see up-to-the-minute statistics.

Device Summary—Show pie charts that allow you to see the managed device mix by device model, Android model, iOS model, and operating system.

Device Compliance—Allow you to quickly see counts of devices that may pose a threat, such as devices infected with malware, devices that do not have a passcode set, or devices that are rooted/jailbroken. Click into a widget to see detailed statistics about the non-compliant devices.

• Use the Devices tab to see detailed device statistics about managed (or previously managed) devices.

Tips:

• Select a pre-defined filter from the Filters list.

• Manually enter a filter in the filter text box. For example, to view all Nexus devices, you would enter (model contains 'Nexus') and then click the Apply Filter button.

• Modify which columns are displayed by hovering over a column name and clicking the down-arrow icon.

• To perform an action on a device or group of devices, select the device(s) and then click an action button at the bottom of the page. For details, see Administer Remote Devices.

The Devices tab displays information about the devices that the Mobile Security Manager currently manages and the mobile devices it has previously managed.


• Monitor the MDM logs for information on device activities, such as check-ins, cloud messages, and broadcast of HIP reports to gateways. The MDM log will also alert you to high severity events such as a device reporting a rooted/jailbroken status. Additionally, the MDM log provides insight into which device users are manually disconnecting from the GlobalProtect VPN.

From the Mobile Security Manager web interface, select Monitor > Logs > MDM.

Click the log details icon to view the complete HIP report for the device associated with the log entry. The HIP report collected by the Mobile Security Manager is an extended version of the HIP report and includes identifying information about the device (such as the serial number, phone number if applicable, and IMEI), device status information, and a list of all apps installed on the device, including any apps that are known to contain malware.


• Monitor the HIP Match logs on the Mobile Security Manager.

From the Mobile Security Manager web interface, select Monitor > Logs > HIP Match. Click a column header to choose which columns to display.

• Monitor HIP Match logs on the GlobalProtect gateway. On the gateway, a HIP match log is generated each time the gateway receives a HIP report from a GlobalProtect client that matches the criteria in a HIP object and/or HIP profile defined on the gateway. On the gateway, the HIP profiles are used in security policy enforcement for traffic initiated by the client. Or, monitor the HIP Match logs on Panorama for an aggregated view of HIP match data across all managed GlobalProtect gateways.

From the web interface on the firewall hosting the GlobalProtect gateway, select Monitor > Logs > HIP Match.

• View the built-in reports or build custom reports.

The Mobile Security Manager provides various “top 50” reports of the device statistics for the previous day or a selected day in the previous week.

By default, all reports are displayed for the previous calendar day. To view reports for any of the previous days, select a report generation date from the calendar at the bottom of the page. The reports are listed in sections. You can view the information in each report for the selected time period. To export the log in CSV format, click Export to CSV. To open the log information in PDF format, click Export to PDF. The PDF file opens in a new window. Click the icons at the top of the window to print or save the file.

Select Monitor > Reports. To view the reports, click the report names on the right side of the page (App Reports, Device Reports, and PDF Summary Reports).


• Monitor the ACC on the firewall hosting the GlobalProtect gateway. Or, monitor the ACC on Panorama for an aggregated view of HIP match data across all managed GlobalProtect gateways.

From the web interface on the firewall hosting the GlobalProtect gateway, select ACC and view the HIP Matches section.


Administer Remote Devices

One of the most powerful features of GlobalProtect Mobile Security Manager is the ability to administer managed devices, wherever they are in the world, by sending push notifications over-the-air (OTA). For iOS devices, the Mobile Security Manager sends messages over the Apple Push Notification service (APNs). For Android devices, the Mobile Security Manager sends messages over Google Cloud Messaging (GCM). This enables you to take action quickly if you suspect that a device is compromised, if an employee leaves your organization and you want to ensure that access to your corporate systems is disabled, or if you want to send a message to a specific group of mobile device users.

• Interact With Devices

• Take Action on a Lost or Stolen Device

• Remove Devices

Interact With Devices

Any time you want to interact with a mobile device, you select the mobile device or group of devices from the Devices tab and then click one of the buttons at the bottom of the page as follows:

Perform an Action on a Remote Device

Step 1 Select the devices you want to interact with.

1. Select the Devices tab.

2. Select the devices to interact with in one of the following ways:

• Select a pre-defined filter from the Filters list. You can select multiple filters to display a customized view of the mobile devices that have enrolled with the Mobile Security Manager.

• Manually enter a filter in the filter text box. For example, to view all Nexus devices running Android 4.1.2, you would enter (model contains 'Nexus') and (os-version eq '4.1.2') and then click the Apply Filter button. You can also add filters to the text box by clicking a field in one of the device entries. For example, clicking an entry Android in the OS column automatically adds the filter (os eq 'android').

• To build a filter using the user interface, click the Add Filter button, build the filter by adding attribute-value pairs, separated by operators, and then click to apply the filter.


Step 2 Select an action. Click one of the buttons at the bottom of the screen to perform the corresponding action on the selected device(s). For example:

• To send a message to the end users who own the selected device(s), click , enter the Message Body, and then click OK.

• To request a device check-in, for example on a filtered list of devices that have not checked in within the last day (last-checkin-time leq '2013/09/09'), select the devices and then click to send a push notification to the devices requesting that they check in with the Mobile Security Manager.

• To remotely unlock a mobile device (for example, if the end user has forgotten the passcode), select the device and then click . The device will unlock and the user will be prompted to set a new passcode.

Take Action on a Lost or Stolen Device

If an end user reports that a managed device has been lost or stolen, you should take immediate action to ensure that the data on the device is not compromised. Select the device on the Devices tab and then take one or more of the following actions as appropriate to the situation:

Secure a Lost or Stolen Device

• Lock the device. As soon as a user reports that a device is lost or stolen, you should lock it to ensure that the data on the device cannot be accessed if it is in the wrong hands. Select the device and then click to immediately lock the device. To access the apps and the data on the device, the device user must re-enter the passcode.

• Try to locate the device. Select the device and then click to sound an alarm.

• Remove access to corporate systems. This is known as a selective wipe. If you believe that a device may be in the wrong hands, but the user does not want you to wipe the personal data, you can “selectively wipe the device” by creating a deployment policy that returns an empty profile to the device and then clicking . When the new “empty” policy is pushed to the device, all profiles that enabled access to your corporate systems will be removed, including any data that was associated with those applications. See Define Deployment Policies for best practices and instructions for creating profiles.

• Erase all device data. This is known as a wipe because it removes all device data, not just access to corporate systems. To protect both the corporate data on the device and the end user’s personal data, the end user may request that you wipe all data on the device. To do this, select the device and then click .
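As an added example (not from the guide or the product), the following Python evaluates filters written in the syntax the guide shows for the Devices tab against constructed device records, so that an administrator can check which devices a filter such as (model contains 'Nexus') and (os-version eq '4.1.2') selects before acting on the result. The contains, eq and leq operators and the and connector are the ones the guide uses; support for or, and the rule that and binds tighter than or, are assumptions.

```python
import re

# Constructed device records (not from the guide); attributes as in the guide's filter examples.
DEVICES = [
    {"serial": "S1", "model": "Nexus 4", "os": "Android", "os-version": "4.1.2", "last-checkin-time": "2013/09/10"},
    {"serial": "S2", "model": "Nexus 7", "os": "Android", "os-version": "4.3", "last-checkin-time": "2013/09/02"},
    {"serial": "S3", "model": "iPhone 5", "os": "iOS", "os-version": "7.0", "last-checkin-time": "2013/09/08"},
    {"serial": "S4", "model": "Galaxy S4", "os": "Android", "os-version": "4.1.2", "last-checkin-time": "2013/08/30"},
]

# A token is a single-quoted value, a parenthesis or a bare word; group 1 catches anything else.
TOKEN = re.compile(r"'[^']*'|[()]|[A-Za-z][\w-]*|(\S)")

def tokenize(expr):
    tokens = []
    for m in TOKEN.finditer(expr):
        if m.group(1):
            raise ValueError(f"bad character {m.group(1)!r} in filter")
        tokens.append(m.group(0))
    return tokens

def match_clause(device, attr, op, value):
    """One 'attr op value' test; text compares ignore case, so (os eq 'android') matches Android."""
    actual = str(device.get(attr, ""))
    if op == "contains":
        return value.lower() in actual.lower()
    if op == "eq":
        return actual.lower() == value.lower()
    if op == "leq":  # check-in dates are YYYY/MM/DD, so text order is date order
        return actual <= value
    raise ValueError(f"unsupported operator {op!r}")

def evaluate(expr, device):
    """expr := term (('and'|'or') term)* with 'and' binding tighter; term := '(' expr ')'
    or attribute operator 'value'. Both sides are always parsed, so bad clauses are rejected."""
    tokens = tokenize(expr) + [None] * 3  # sentinels so look-ahead never overruns

    def term():
        tok = tokens.pop(0)
        if tok == "(":
            result = parse_or()
            if tokens.pop(0) != ")":
                raise ValueError("missing ')'")
            return result
        op, value = tokens.pop(0), tokens.pop(0)
        if tok in (None, ")") or op is None or not (value and value.startswith("'")):
            raise ValueError("clause must be: attribute operator 'value'")
        return match_clause(device, tok, op, value[1:-1])

    def parse_and():
        result = term()
        while tokens[0] == "and":
            tokens.pop(0)
            result = term() and result
        return result

    def parse_or():
        result = parse_and()
        while tokens[0] == "or":
            tokens.pop(0)
            result = parse_and() or result
        return result

    result = parse_or()
    if tokens[0] is not None:
        raise ValueError(f"unexpected token {tokens[0]!r}")
    return result

def apply_filter(expr, devices=DEVICES):
    """Serials of the devices the filter would leave on the Devices tab."""
    return [d["serial"] for d in devices if evaluate(expr, d)]
```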


Remove Devices

Although end users can manually unenroll from GlobalProtect Mobile Security Manager directly from the GlobalProtect app, as administrator you can also unenroll devices OTA. This is useful in cases where an employee has left the company without unenrolling from the Mobile Security Manager on a personal device. To unenroll devices, select the devices you want to remove on the Devices tab and then use one of the following two options:

Remove Devices from Management

• Unenroll devices. To remove a device from the GlobalProtect Mobile Security Manager, but leave its device entry in the Mobile Security Manager, select the device and then click . This is a good option if the end user is still employed by your company, but the device will either permanently or temporarily be unmanaged. By leaving the device entry on the Mobile Security Manager you can still view information about the device, including historical HIP match logs, reports, and device statistics.

• Delete devices. To remove a mobile device from management and remove its device entry from the Mobile Security Manager, select the device and then click . This is a good option if you want to clean up the database to remove entries for users who are no longer with the company or to remove devices that have been replaced. Note, however, that this action will permanently remove the device record from the database. Additionally, if the device is enrolled at the time that you perform the Delete action, the device will be unenrolled and then the record will be deleted from the Mobile Security Manager database.


Create Security Policies for Mobile Device Traffic Enforcement

The deployment policies you create on the GlobalProtect Mobile Security Manager provide simplified account provisioning for access to your corporate applications for mobile device users. Although you have granular control over which users get policies that enable access to which applications, based on user/group and/or device compliance, the Mobile Security Manager does not provide traffic enforcement of mobile device traffic. While the GlobalProtect gateway already has the ability to enforce security policy for GlobalProtect app users, the HIP match information it has for mobile devices is somewhat limited. However, because the Mobile Security Manager collects comprehensive HIP data from the devices it manages, by leveraging that HIP data you can create very granular security policies on your GlobalProtect gateways that take into account device compliance and tags from the Mobile Security Manager. For example, you could create one security policy on the gateway allowing mobile devices with the tag “company-provisioned” full access to your network, and a second security policy allowing mobile devices with the tag “personal-device” access to the Internet only.

Create Security Policy for Managed Devices on the GlobalProtect Gateway

Step 1 Configure the GlobalProtect gateways to retrieve HIP reports from the Mobile Security Manager.

Although the Connection Port value is configurable on the gateway, the Mobile Security Manager requires that you leave the value set to 5008. The option to configure this value is provided to enable integration with third-party MDM solutions.

See Enable Gateway Access to the Mobile Security Manager for detailed instructions.


Step 2 (Optional) On the Mobile Security Manager, define the tags you want to use for security policy enforcement on the gateway and assign them to managed mobile devices.

See Group Devices by Tag for Simplified Device Administration for detailed instructions.

Step 3 On the GlobalProtect gateways, create the HIP objects and HIP profiles you will need for enforcement of mobile device traffic policies.

See Configure HIP-Based Policy Enforcement for detailed instructions.

Step 4 Attach the HIP profile to the security policy and then Commit the changes on the gateway.
